Commit 9c101fd4 authored by KAMBAROV, ZAUR's avatar KAMBAROV, ZAUR Committed by Linus Torvalds

[PATCH] coverity: ipmi_msghandler() channels array overrun fix

We fix the check in 1084, which was

1084 			if (addr->channel > IPMI_NUM_CHANNELS) {
1085 				spin_lock_irqsave(&intf->counter_lock, flags);
1086 				intf->sent_invalid_commands++;
1087 				spin_unlock_irqrestore(&intf->counter_lock, flags);
1088 				rv = -EINVAL;
1089 				goto out_err;
1090 			}

addr->channel is used in

1092 			if (intf->channels[addr->channel].medium

Definitions involved:

221  		struct ipmi_channel channels[IPMI_MAX_CHANNELS];

134  	#define IPMI_MAX_CHANNELS       8

In /linux-2.6.12-rc6/include/linux/ipmi.h
148  	#define IPMI_NUM_CHANNELS 0x10
Signed-off-by: Zaur Kambarov <zkambarov@coverity.com>
Cc: Corey Minyard <minyard@acm.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
parent a77e3362
...@@ -1088,7 +1088,7 @@ static inline int i_ipmi_request(ipmi_user_t user, ...@@ -1088,7 +1088,7 @@ static inline int i_ipmi_request(ipmi_user_t user,
long seqid; long seqid;
int broadcast = 0; int broadcast = 0;
if (addr->channel > IPMI_NUM_CHANNELS) { if (addr->channel >= IPMI_MAX_CHANNELS) {
spin_lock_irqsave(&intf->counter_lock, flags); spin_lock_irqsave(&intf->counter_lock, flags);
intf->sent_invalid_commands++; intf->sent_invalid_commands++;
spin_unlock_irqrestore(&intf->counter_lock, flags); spin_unlock_irqrestore(&intf->counter_lock, flags);
......
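Review bot: The new test `addr->channel >= IPMI_MAX_CHANNELS` bounds the index only from above; if `channel` is declared as a signed type (its declaration is not shown on this page), a negative value would still pass and reach `intf->channels[addr->channel]`, the access quoted in the commit description. A single comparison that covers both ends regardless of signedness would be `if ((unsigned int)addr->channel >= IPMI_MAX_CHANNELS) {`. Any other comparison against `IPMI_NUM_CHANNELS` that guards the same `channels[IPMI_MAX_CHANNELS]` array would presumably need the same correction, but none is visible in this hunk. The body of `i_ipmi_request` starts and ends outside the hunk, so this is based on the displayed lines only.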